CloudSploit

What is the difference between account and group admins?

Modified on: Wed, 20 Jul, 2016 at 9:49 PM

Account admins have permission to make account-wide changes. For example, they can add and remove any connected AWS account (even if they are not in that group), add or remove users, change user groups, add and remove groups, change the account plan, add billing information, delete resources, suppressions, or scans, and delete the account entirely. You should only create a limited number of account admins consisting of highly trusted users.

Group admins have control over the group. They can add or remove users and add or remove connected accounts. They cannot delete the group itself or add new groups (unless they are also an account admin).